Method for authenticating a user in a terminal, an authentication system, a terminal, and an authorization device

ABSTRACT

The invention relates to a method for authenticating the user of a terminal ( 5 ), in which terminal a device ( 15 ) for verifying the rights to use is applied for running an authentication protocol. The device ( 15 ) for verifying the rights to use is connected to the terminal ( 5 ). In the device ( 15 ) for verifying the rights to use, an extendable authentication protocol interface is applied, via which at least some of the authentication functions are carried out.

[0001] The present invention relates to a method for authenticating theuser of a terminal, the terminal applying an authorization device, andthe authorization device being connected to the terminal. The inventionalso relates to an authentication system which comprises a terminal withmeans for coupling an authorization device at least for authentication,and the authorization device being equipped with means for implementingan authentication protocol. The invention also relates to a terminalwith means for coupling an authorization device, at least forauthentication, and the authorization device being equipped with meansfor implementing an authentication protocol. Furthermore, the inventionrelates to an authorization device, to be used for user authentication,the authorization device comprising means for implementing anauthentication protocol. The invention further relates to a computerprogram comprising machine executable steps for authenticating the userof a terminal equipped with a device for verifying the rights to use,the device for verifying the rights to use being applied for running anauthentication protocol, and to a storage medium for storing a computerprogram comprising machine executable steps for authenticating the userof a terminal equipped with a device for verifying the rights to use,the device for verifying the rights to use being applied for running anauthentication protocol.

[0002] In this description, the authorization device refers to afunctional device which has means for verifying the rights to use afunction and/or a device before the device is operable and/or inconnection with the use of the device. Such devices for verifying, to bementioned in this context, include so-called smart cards which typicallycomprise a processor, a memory and connecting means. The smart card isprovided with software or the like for processing inputs entered in thesmart card and for generating responses. Such smart cards are used, forexample, in mobile stations, as pay cards, as electronic identificationcards, etc. Furthermore, there are known devices for verifying therights to use, to prevent the use of copied software. Such a verifyingdevice (called “dongle” or “hardlock”) is placed, for example, in theprinter connection of a computer, wherein the software includes asecurity program which investigates, for example, if the verifyingdevice is coupled in the printer connection and, if necessary, it alsoexamines the identification (e.g. a licence number) possibly stored inthe verifying device. Although, below in this description, such devicesfor verifying the rights to use will be primarily called smart cards, itis obvious that the invention is not limited to be used in smart cardsonly.

[0003] Terminals are known, to which it is possible to connect a smartcard to be used, for example, for user authentication. Theauthentication may be necessary e.g. to prevent unauthorized personsfrom using the terminal or performing such functions on the terminalwhich other persons than the authorized user of the terminal have noright to use. The authentication functions are normally arranged atleast partly in connection with the smart card, wherein the terminaltransmits the identification data entered by the user to the smart card.The identification data used is, for example, a user name and a passwordor a personal identity number (PIN). The smart card is provided with anauthentication protocol which is run by applying, as authenticationparameters, the identification data transmitted from the terminal. Bymeans of the protocol, for example a reference number is computed, whichis compared with the identity number stored on the smart card. Thus,when these numbers match, it is assumed that the user is the personhe/she claims to be.

[0004] A smart-card based solution can also be used when the user islogged in a data network with a terminal. The data network is providedwith an authentication server or the like, in connection with which arestored identification data of registered users, such as their name, useridentification and password. Thus, the authentication server and thesmart card communicate by means of the terminal and the data network.Also in such a solution, it may be necessary to identify the user firstin connection with turning on of the terminal, after which a secondauthentication is performed in the authentication server of the datanetwork. This second authentication is based on the use of apredetermined authentication protocol as well as authenticationalgorithms. Thus, the program codes necessary for running thisauthentication protocol are stored in the terminal and in the datanetwork The authentication algorithm is stored in the authenticationserver as well as in the smart card.

[0005] In the data network, the authentication can be performed forexample by sending a log-in request from the terminal to the datanetwork, in which the log-in request is transmitted to theauthentication server. The authentication server forms a challenge, orthe like, by means of a predetermined authentication algorithm. Afterthis, the authentication server transmits a log-in response message tothe terminal in which said challenge is included either as such or inencrypted form. Further, the authentication of this message can beverified by a digital signature which the smart card can check afterreceiving the log-in response message. Next, the smart card produces aresponse number on the basis of the user identification data and thereceived challenge, by means of a predetermined authenticationalgorithm. The response number is transmitted to the authenticationserver which is capable of forming an expected number on the basis ofthe user identification data stored in the authentication server and thechallenge formed by it. The authentication server can compare thereceived response number and the expected response number and, from theresults of the comparison, deduce whether the data used in the formationof the received response number match with the data used in theformation of the expected response number. If the data match, it can beassumed that the user has been correctly authenticated and the user maystart to use the data network. A method of the above-presented kind isused, for example, in the GSM mobile communication system and in theUMTS mobile communication system during login of a mobile station in themobile communication network. The smart card used in the GSM mobilecommunication system and in the UMTS mobile communication system is theso-called SIM card (subscriber identity module) and the USIM card (UMTSsubscriber identity module), respectively. As the authentication server,an authentication centre AuC is used. The SIM cards contain a mobilecommunication network operator specific authentication algorithm.

[0006] In smart-card based solutions, the user data and theauthentication algorithm can be changed by replacing the smart card witha new smart card provided with a new authentication algorithm. In acorresponding manner, this new authentication algorithm must beinstalled in the authentication server, if it is not already installed.

[0007] A problem in the above-presented solutions of prior art is, interalia, that the authentication protocol cannot be changed simply bychanging the smart card. For example, different authentication protocolsare used in GSM mobile communication systems and UMTS mobilecommunication systems, wherein a mobile communication device complyingwith the GSM mobile communication system cannot be updated to use anidentification protocol used in the UMTS mobile communication systemsimply by changing the smart card. Thus, the changes in theauthentication protocol also require changes at least in the terminalsoftware and, if necessary, in the software of the authenticationserver.

[0008] The user of a mobile communication device may move within therange of different mobile communication networks. Thus, when the user isin another network than his/her home network, the authentication isperformed in such a way that the roaming network transmits the messagesaccording to the authentication protocol between the terminal and theauthentication centre of the home network. The authentication is thusperformed by the authentication centre of the home network. Thus, theauthentication algorithm can be set to be operator-specific e.g. in GSMmobile communication systems and in UMTS mobile communication systems,because all the values to be used in the authentication are formed inthe home network. The roaming network does not need to know thealgorithm because its function is only to compare the figures. Tomaintain the operability of mobile communication devices in differentmobile communication networks, the authentication protocol cannot be setto be operator-specific when using solutions of prior art.

[0009] Communication networks are also known, in which it is possible tocouple a work station in a so-called home network, for example by meansof an optional telephone network. Some of these so-called dial-upnetworks apply an extendable authentication protocol (EAP). In suchsystems, the purpose of the roaming network is only to transmit messagescomplying with the EAP protocol between the terminal and theauthentication centre of the home network. The roaming network does notneed to be capable of interpreting messages complying with the EAPprotocol. A new authentication protocol or algorithm can be introducedwithout changing the roaming network at all. However, the terminal mustbe changed, because the software required by the new EAP protocol typemust be updated in solutions of prior art.

[0010] The EAP is a standard defined by the Internet Engineering TaskForce IETF for the extended authentication protocol to be used inconnection with a point-to-point protocol (PPP), and its more specificdefinition is presented e.g. in the IETF document rfc2284.txt. Thestandard comprises the definitions for the structure of messages to beused for authentication. The EAP message comprises a header field and adata field. The header field defines, for example, the type,identification and length of the message. The messages are transmittedin message frames of the PPP protocol used-in the data link layer.

[0011] It is an aim of the present invention to provide an improvedmethod for user authentication. The invention is based on the idea thata smart card is provided with an extendable authentication protocolinterface (EAP IF), through which the authentication functions areperformed on the smart card. To be more exact, the method according tothe present invention is primarily characterized in that theauthorization device applies an extendable authentication protocolinterface, through which at least some of the authentication functionsare implemented. The system according to the present invention isprimarily characterized in that the authorization device is providedwith an extendable authentication protocol interface as well as withmeans for implementing at least some of the authentication functions viasaid extendable authentication protocol interface. The terminalaccording to the present invention is primarily characterized in thatthe authorization device is provided with an extendable authenticationprotocol interface as well as with means for implementing at least someof the authentication functions via said extendable authenticationprotocol interface. Furthermore, the authorization device according tothe present invention is primarily characterized in that theauthorization device is provided with an extendable authenticationprotocol interface as well as with means for implementing at least someof the authentication functions via said extendable authenticationprotocol interface. The computer program according to the presentinvention is primarily characterized in that the computer programfurther comprises machine executable steps for applying an extendableauthentication protocol interface in the device for verifying the rightsto use, including machine executable steps for processing at least someof the authentication functions through the extendable authenticationprotocol interface. The storage medium according to the presentinvention is primarily characterized in that the computer programfurther comprises machine executable steps for applying an extendableauthentication protocol interface in the device for verifying the rightsto use, including machine executable steps for processing at least someof the authentication functions through the extendable authenticationprotocol interface. The authentication protocol interface to be used inconnection with the present invention is extendable in the sense thatany authentication protocol can be implemented by using said interfacewithout changing the interface or the terminal software or the device inany way.

[0012] The present invention shows remarkable advantages compared tosolutions of prior art. When applying the method according to theinvention, the authentication protocol to be used for userauthentication can be changed by changing the smart card. Thus, there isno need to update software in the roaming network or in the terminal. Inthis way, for example in mobile communication networks, theauthentication protocol can be operator-specific, because theauthentication centre of the home network is used as the authenticationcentre. Thus, a different authentication protocol may be used in theroaming network than in the user's home network. As there is no need toupdate software, the transmission of update files is avoided, which iscomplicated and difficult to control.

[0013] In the following, the invention will be described in more detailwith reference to the appended drawings, in which

[0014]FIG. 1 shows an authentication system according to a preferredembodiment of the invention in a reduced chart,

[0015]FIG. 2 shows a wireless terminal according to a preferredembodiment of the invention in a reduced block chart,

[0016]FIG. 3 shows a smart card according to a preferred embodiment ofthe invention in a reduced block chart,

[0017]FIG. 4 shows the method according to a preferred embodiment of theinvention in a signalling chart, and

[0018]FIGS. 5a to 5 e show some messages to be used in the systemaccording to an advantageous embodiment of the invention.

[0019] In the following detailed description of the invention, theauthentication system of a mobile communication network 2 is used as anexample of an authentication system 1, but the invention is not limitedto be used solely in connection with mobile communication networks. Themobile communication network 2 is, for example, a GSM mobilecommunication system or a UMTS mobile communication system, but it isobvious that the invention can also be used in other communicationsystems.

[0020] The present invention can also be applied in connection withUMTS-SIP authentication which applies a protocol complying with the EAPstandard, as well as in systems applying the IEEE 802.1X authenticationprotocol. Said protocol is also being introduced in wireless local areanetworks (WLAN), and it is based on the application of a protocolcomplying with the EAP standard.

[0021] The authentication system comprises an authentication server 3,such as an authentication centre AuC for a mobile communication network.The authentication system also comprises communication means 4 fortransmitting the data required in the authentication between theterminal 5 and the authentication server 3. The communication meanscomprise, for example, base stations 6, base station controllers 7 aswell as one or more mobile switching centres 8 in a mobile communicationnetwork 2. The authentication server 3 can be a separate serverconnected to the mobile communication network 2, or it can be arrangede.g. in connection with the mobile switching centre B.

[0022]FIG. 2 shows a terminal 5 which complies with an advantageousembodiment of the invention and which can be used in the authenticationsystem of FIG. 1. In this advantageous embodiment of the invention, theterminal 5 comprises e.g. mobile communication means 9 for communicationwith the mobile communication network 2, a user interface 10, a controlblock 11, memory means 12, 13, as well as connection means 14 forconnecting a smart card 15 to the terminal 5. The memory meanspreferably comprise a read only memory (ROM) 12 as well as a randomaccess memory (RAM) 13. The connecting means 14 for connecting the smartcard 15 can be, in practice, implemented in a variety of ways. Onepossibility is to use a physical connection, wherein the connectingmeans 14 comprise connectors or the like which are coupled tocorresponding connectors in the smart card 15 when the smart card 15 isinstalled in the terminal 5. These connecting means can also be based ona wireless connection, wherein the connecting means 14 and the smartcard 15 comprise wireless communication means (not shown), such as radiocommunication means (e.g. Bluetooth™, WLAN), optical communication means(e.g. infrared), acoustic communication means, and/or inductivecommunication means.

[0023] In the terminal 5, preferably in the software of the controlblock 11, there is also implemented a protocol stack for making thenecessary protocol conversions when messages are being transmitted fromthe mobile communication network 2 to the terminal 5 and from theterminal 5 to the mobile communication network 2.

[0024]FIG. 3 shows a smart card 15 which complies with an advantageousembodiment of the invention and which can be used e.g. in connectionwith the terminal 5 shown in FIG. 2. The smart card 15 preferablycomprises e.g. a processor 16, memory means, such as a read-only memory17 and a random access memory 18, as well as connecting means 19.

[0025] As the read-only memory 12, 17 it is possible to use, forexample, a one time programmable ROM (OTP-ROM; programmable ROM or PROM)or an electrically erasable programmable ROM (EEPROM; Flash). Also, aso-called non-volatile RAM can be used as the readonly memory. As therandom access memory 13, 18, it is preferable to use a dynamic randomaccess memory (DRAM) and/or a static random access memory (SRAM).

[0026] For example, the user authentication algorithm to be run when theterminal is turned on, as well as the terminal user authenticationalgorithm to be run during its login in the mobile communication network2, are stored in the read-only memory 17 of the smart card. Furthermore,the read-only memory 17 of the smart card contains stored functions ofthe extendable authentication protocol interface which will be describedbelow in this description. Furthermore, in a way known as such, theread-only memory 17 of the smart card contains other program commandswhich are necessary for controlling the functions of the smart card.

[0027] In a corresponding manner, the read-only memory 12 of theterminal contains stored program commands required for controlling thefunctions of the terminal 5, program commands required for communicationbetween the smart card 15 and the terminal 5, program commands requiredin connection with mobile communication functions, control commands ofthe user interface, etc. However, it is not necessary to storeauthentication protocol functions in the terminal 5, because in thesystem of the present invention, these functions are performed in theextendable authentication protocol interface implemented on the smartcard.

[0028] In the extendable authentication protocol interface presented inthis invention, it is possible, for example, to implement an operationby which the smart card is requested for the user identification, aswell as an operation by which a request message, such as an EAP request,can be entered in the smart card. Thus, the function of the smart cardis to form a response (e.g. an EAP response) to this message. Theterminal and the roaming network can be implemented in such a way thatit is possible to carry out more than one exchange of request andresponse messages before the authentication result is found out.Furthermore, the smart card preferably contains an operation by whichkey material formed in connection with the authentication can beprovided for use by the terminal. After this, the key material can beused for encryption of information to be transmitted, for example, viathe radio channel, which is presently used in e.g. the GSM and UMTSmobile communication networks.

[0029] At the stage when the terminal 5 is turned on, it is possible toperform user verification, known as such, for example so that theterminal 5 displays, on the display 20 of the user interface 10, anotice where the user is requested to enter a personal identity number(PIN). After this, the user enters, e.g. with the keypad 21 of the userinterface 10, his/her password which is transmitted by the terminalcontrol block 11 to the smart card 15. On the smart card 15, theprocessor 16 checks up the password in a way known as such, by means ofuser data and an algorithm arranged for the checking, which have beenstored in the readonly memory 17 of the smart card. If the password wascorrectly entered, the terminal 5 can be turned on.

[0030] After the turning on, it is possible to start login in thenetwork, if the signal of a base station 6 in the mobile communicationnetwork 2 can be received in the terminal 5. If it is possible to log inthe network, the transmission of messages (signalling) required forlogin is started, which is known as such. During the login, a locationupdate (LA) is performed, if necessary. Furthermore, in the loginprocess, a transmission channel and a receiving radio channel areallocated for signalling, to be used by the terminal and the basestation in the communication. In connection with the login, the terminalis authenticated, which is shown in a reduced manner in the signallingchart of FIG. 4. The authentication server 3 of the mobile communicationnetwork 2 generates a login request 501, of which an advantageousexample is shown in FIG. 5a.

[0031] The login request is preferably a message which complies with theextendable authentication protocol and comprises certain recordscontaining values which can be changed to form several differentmessages, using substantially the same record structure. The messagepreferably comprises a header field and a data field. The header fieldcontains, inter alia, the following data records: a code record 502 fortransmitting information about whether the message is a request, aresponse, a success or a failure; an identification record 503 which isused for identifying the messages e.g. in such a way that successivemessages should contain different identification data, except when thesame message is retransmitted; furthermore, a length record 504indicates the length of the message. The data to be transmitted in thedata field depends, for example, on the purpose of use of the message.In the system according to an advantageous embodiment of the presentinvention, the data field contains a type data record 505 whichindicates the type of the message in question. For example, on the basisof the EAP type number, the terminal 15 can determine which smart card15 or program module will process the EAP type (or authenticationprotocol) in question. The other data records contained in the messageare: type-specific and may contain, for example, data which are specificto the authentication protocol used, such as various challenges,responses, digital signatures or verifications, message authenticationcodes, etc.

[0032] With the login request, the authentication server 3 requests theterminal 5 to transmit its own identification data. The transmission ofthe login request is indicated by arrow 401 in FIG. 4. The mobilecommunication means 9 of the terminal 5 perform the necessary operationsto convert radio-frequency signals to baseband signals in a way known assuch. The login request is transmitted in the terminal 5 to the smartcard 15, in which the message is processed in the extendableauthentication protocol interface. In practice, this means that theprocessor 16 of the smart card receives the login request and runs thenecessary operations. The processor 16 of the smart card generates aresponse in which the data field contains identification data of theuser of the terminal, preferably an international mobile subscriberidentifier (IMSI). This international mobile subscriber identifiercontains a mobile country code (MCC), a mobile network code (MNC) aswell as a mobile subscriber identification number (MSIN). In eachSIM-type smart card 15, this identifier IMSI is unique, wherein themobile subscriber can be identified on the basis of this identifierdata.

[0033] In a case complying with the EAP standard, the identifier istransmitted in an EAP response/identity packet, in which the identity inthe roaming network is a so-called network access identifier (NAI). Inan advantageous embodiment of the invention, the user identifier (e.g.IMSI) is transmitted in encoded format in this network identifier. In ageneral case, the network identifier is a character sequence whichidentifies the subscriber. It may contain an operator identifier,wherein it is in a form resembling an e-mail address: user identifier@operator.countrycode.

[0034] After the reply message has been formed in the smart card 15, thesmart card 15 transmits this message via the smart card connecting means19 to the terminal connecting means 14. The terminal control block 11reads the message, makes the necessary protocol conversions, andtransmits the message to the mobile communication means 9, to beconverted to radio-frequency signals. The terminal 5 can now transmit alogin request to the base station 6 (arrow 402). The login request isreceived at the base station 6, from which it is transferred via thebase station controller 7 to the mobile switching centre 8. The mobileswitching centre 8 transmits the message further to the authenticationserver 3. After this, the message is examined in the authenticationserver 3.

[0035] In the mobile communication network, the response is transmittedto the respective user's home network, in which the authenticationserver 3 processes the received response and checks the subscriber datae.g. from a home location register HLR. After the user's subscriber datahave been checked from a database, the user authentication process isstarted, to verify that the user is really the person whose subscriberdata are given in the response. The authentication server 3 continuesthe authentication process by forming an authentication start message,whose data field contains transmitted information, for example, aboutthe protocol versions supported by the authentication server 3 (arrow403). An advantageous form of this message is shown in the appended FIG.5b.

[0036] In the terminal 5, the message is transmitted to the extendableauthentication protocol interface of the smart card 15 where, forexample, the protocol version data transmitted in the message areexamined. If one or several protocols available at the authenticationserver 3 are also available on the smart card 15, one of these protocolsis selected in the smart card 15 to be used in further steps of theauthentication process. Furthermore, this protocol may also define theauthentication algorithm to be used for authentication.

[0037] It is obvious that the above-presented transmission of messagesis only one example of how the present invention can be applied. Thenumber of messages processed by the smart card 15 may be different fromthat given in the presented example. In a general case, various requests(e.g. an EAP request) are transmitted from the communication network tothe terminal 5 and guided by the software of the terminal 5 to the smartcard 15. The smart card 15 generates responses (e.g. an EAP response)which the terminal 5 transmits to the roaming network and from therefurther to the authentication server 3 of the home network. The numberof these requests and responses is not limited, and they only need to beintelligible to the smart card 15 and the authentication server 3.

[0038] In general, authentication protocols are based on the rule thatthe authenticating device and the device to be authenticated apply thesame authentication algorithm in which the same figures are used asinputs. For example, in the GSM mobile communication system, each mobilesubscriber is allocated a secret key Ki which is stored on the SIM card.Furthermore, this secret key is stored in the home location register ofthe mobile subscriber. The authentication algorithm computes a responsenumber, wherein by comparing the response numbers formed by theauthenticating device and the device to be authenticated, it is possibleto authenticate the other party with a high probability. To reduce thepossibility of misuse to a minimum, all the figures to be input in theauthentication algorithm are not transmitted between the devices butthey are stored in the device and/or in a database where they can beretrieved by the device. In particular, said secret key is nottransmitted at any stage in the mobile communication network. In thismethod according to an advantageous embodiment of the invention, thefollowing steps are taken.

[0039] The smart card 15 selects a first random number NONCE_MT by anymethod. Furthermore, a period of validity can be selected for the key tobe defined in the authentication process. Information about the selectedauthentication protocol, said first random number NONCE_MT as well asthe period of validity which was possibly selected are transmitted in alogin response to the authentication server 3 by applying theabove-presented message transmission mechanisms (arrow 404). Anadvantageous form of this message is shown in the appended FIG. 5c.

[0040] The authentication server 3 retrieves n number (n≧1) of GSMtriplets, each triplet comprising a second random number RAND, a signedresponse SRES and an encryption key Kc from the home location registerHLR. The authentication server 3 retrieves the GSM triplets from thehome location register HLR using the GSM roaming network and the MobileApplication Part (MAP) protocol, as known in the prior art. Furthermore,using one or several authentication algorithms corresponding to theselected authentication protocol, the authentication server 3 computes asession key K as well as a first authentication code MAC_RAND. Theparameters used in this computation are preferably the encryption keyn*Kc, the random numbers n*RAND, the international mobile subscriberidentifier IMSI, and the first random number NONCE_MT. For the key, theauthentication server 3 may accept the period of validity suggested bythe smart card 15, or it may select another period of validity. In acheck-up start message to the terminal 5, the authentication server 3transmits one or more random numbers n*RAND selected by it, the firstauthentication code MAC_RAND computed by it, as well as data about theperiod of validity selected for the key (arrow 405). An advantageousform of this message is shown in the appended FIG. 5d.

[0041] In the extendable authentication protocol interface of the smartcard 15 of the terminal 5, the same authentication algorithm is run in acorresponding manner, using as the parameters the first random numberNONCE_ME selected by the smart card 15, a given number of encryptionkeys n*Kc, second random numbers n*RAND selected by the authenticationserver 3, as well as the international mobile subscriber identifier IMSI(block 406). The result of the authentication algorithm is compared withthe first authentication code MAC_RAND computed in the authenticationserver 3 and transmitted to the smart card 15. If the comparison showsthat the result of the computation of the authentication algorithm isthe same on the smart card 15 and in the authentication server 3, it canbe assumed on the smart card that the check-up start message transmittedby the authentication server was really transmitted by saidauthentication server 3 and that the random numbers in it are reliable.If the comparison shows that the computed numbers do not match, theauthentication functions are preferably stopped on the smart card 15 andthe terminal 5 is not registered in the mobile communication network, orin case of an authentication to be made in connection with the use of aservice, the use of the service is prevented.

[0042] In a situation in which the comparison shows that the randomnumbers are reliable, the smart card 15 forms signed responses SRES.This is performed with an algorithm which corresponds to that in theauthentication server 3, by using, as the pararmeters, the encryptionkeys n*Kc and the second random numbers n*RAND selected by theauthentication server 3. The computed signed responses n*SRES as well aspreferably the international mobile subscriber identifier IMSI and thefirst random number NONCE_MT can then be used for computing the secondauthentication code MAC_SRES with an algorithm. To the check-up startmessage, the smart card 15 forms a response which is transmitted to theauthentication server 3 (arrow 407). In this response, the secondauthentication number MAC_SRES computed on the smart card istransmitted. An advantageous form of this message is shown in theappended FIG. 5b. The authentication server 3 can make a correspondingcomputation and compare the authentication number computed by it withthe second authentication number MAC_SRES transmitted from the smartcard 15. If the authentication numbers match, the authentication server15 can assume that the user is really the person whose internationalmobile subscriber identifier was transmitted from the smart card 15 ofthe terminal to the authentication server 3. At the end of a successfulauthentication process, the authentication server 3 transmitsinformation about this to the terminal 5 (arrow 408). In this samemessage, the authentication server 3 can also transmit a session key Kto the terminal 5.

[0043] It is obvious that the above-presented authentication process andthe structure and content of messages transmitted in connection with itare only some advantageous examples of the operation according to anauthentication protocol (EAP/SIM). Within the scope of the presentinvention, it is also possible to use other message structures andauthentication data, wherein the details may be different from thosegiven in the example above. Neither is the invention limited solely tothe extendable authentication protocol, but also other commonauthentication protocols can be applied in connection with theinvention. What *is essential is that the smart card 15 is provided withan authentication protocol interface in which it is possible to processreceived messages related to the authentication, to form messages whichare related to the authentication and which shall be transmitted to theauthentication server 3, to process keys related to the authentication(e.g. to retrieve them from the read-only memory 17 of the smart cardand/or from the received message), as well as to verify the messagesrelated to the authentication. Thus, all the functions which aresubstantially related to the authentication in the terminal 5 can beplaced on the smart card 15.

[0044] The method according to the invention can also be applied in asituation in which the terminal 5 is coupled, for example, to theInternet data network 22 and a SIM card is used for user identification.Thus, the authentication server can be placed, for example, in theinterface between the Internet data network 22 and the mobilecommunication network, wherein the authentication server can communicatewith the authentication centre AuC of the mobile communication networkfor retrieving the necessary authentication data. The PPP protocol isused between the terminal 5 and a so-called network access server (NAS).The network access server communicates with the authentication server byusing the AAA protocol. In wireless local area networks, the situationis similar for the essential parts. Between the terminal and the accesspoint of the wireless local area network, e.g. the IEEE 802.1X protocolis used, which is based on the use of the EAP protocol. The access pointcommunicates with the authentication centre by using the AAA protocol.

[0045] By the method of the invention, the authentication protocol canbe changed, for example, by changing the smart card 15. Thus, such aprotocol can be used which is implemented on the new smart card 15 aswell as in the authentication server. For example, no changes need to bemade in the software of the terminal in connection with changing theauthentication protocol.

[0046] As the terminal 5, it is possible to use, for example, a wirelessterminal, such as a wireless communication device, such as Nokia 9210Communicator; or the like. The invention can also be applied, forexample, in the authentication of a work-station in a local areanetwork, and in the authentication of a computer to be coupled to theInternet data network 22 either by a wired or wireless connection.

[0047] The invention can also be applied in such a way that theextendable authentication protocol interface of the device 15 forverifying the rights to use allocates some of the cryptographiccomputational operations to be carried out in the terminal 5. Thecryptographic operations include, for example, encryption, decryption,hashing functions, message authentication code functions, checking ofcertificates, as well as other cryptographic operations related to thepublic key, such as the computing of Diffie-Hellman key exchange, etc.Some of these crypto-graphic operations require a large computationcapacity which can, in some applications, be more easily arranged in theterminal 5 than in the device 15 for verifying the rights to use.Furthermore, such operations are basic cryptographic operations whichare often implemented in universal libraries and do not necessarilyrequire software updates in the terminal 5. It is thus possible to usevarious identifications, on the basis of which the device 15 forverifying the rights to use can inform the terminal 5 about theoperation/algorithm to be used at a time and transmit the necessaryparameters via the extendable authentication protocol interface to theterminal 5. The terminal 5, in turn, transmits responses to theextendable authentication protocol interface of the device 15 forverifying the rights to use.

[0048] The invention can also be implemented in software by making oneor more computer programs, in which machine executable steps are definedfor performing the different steps of the present invention. Thecomputer program(s) can be stored on a storage medium for e.g.delivering the computer program(s) to users for installation of thecomputer-program(s) on the terminal 5 and/or on the device 15 forverifying the rights to use.

[0049] It is obvious that the present invention is not limited solely tothe above-presented embodiments, but it can be modified within the scopeof the appended claims.

1. A method for authenticating the user of a terminal, in which terminala device for verifying rights to use is applied for running anauthentication protocol, and which device for verifying the rights touse is connected to the terminal, wherein the device for verifying therights to use applies an extendable authentication protocol interface,through which at least some of the authentication functions areprocessed.
 2. The method according to claim 1, wherein, for userauthentication, at least the following steps are taken: a step oftransmitting a request, in which a request is transmitted to the devicefor verifying the rights to use, a step of processing the request, inwhich the request is processed in the extendable authentication protocolinterface to form a response, and a step of transmitting the response,in which the response formed in the extendable authentication protocolinterface is transmitted from the device for verifying the rights touse.
 3. The method according to claim 2, wherein in said request,information is transmitted about the authentication protocol to be usedfor user authentication.
 4. The method according to claim 3, wherein atleast one authentication algorithm to be used for authenticationaccording to the authentication protocol is stored in the device forverifying the rights to use.
 5. The method according to claim 4, whereinidentification data for identifying the user is stored in the device forverifying the rights to use, wherein in the step of processing therequest, said at least one authentication algorithm and theidentification data stored in the device for verifying the rights to useare used for user authentication.
 6. The method according to claim 1,wherein information is transmitted between the terminal and at least onecommunication network, wherein in the step of processing the request, atleast one cryptographic key is formed in the extendable authenticationprotocol interface, and that said at least one cryptographic key istransmitted from the device for verifying the rights to use to theterminal.
 7. The method according to claim 6, wherein said at least onecryptographic key is to be used for encryption of information to betransmitted between the terminal and the communication network.
 8. Anauthentication system comprising a terminal with means for connecting adevice for verifying the rights to use for at least authentication, thedevice for verifying the rights to use being equipped with means forrunning an authentication protocol, wherein the device for verifying therights to use is equipped with an extendable authentication protocolinterface as well as with means for implementing at least some of theauthentication functions via said extendable authentication protocolinterface.
 9. The system according to claim 8, wherein comprising meansfor transmitting a request to the device for verifying the rights touse, that the extendable authentication protocol interface comprisesmeans for processing the request and forming a response, and means fortransmitting the response formed in the extendable authenticationprotocol interface from the device for verifying the rights to use. 10.The system according to claim 9, wherein information about theauthentication protocol to be used for user authentication is arrangedto be transmitted in said request, and that at least one authenticationalgorithm to be used for authentication according to the authenticationprotocol is stored in the device for verifying the rights to use. 11.The system according to claim 10, wherein identification data foridentifying the user is stored in the device for verifying the rights touse, that the means for processing the request comprise means for usingsaid at least one authentication algorithm and the identification datastored in the device for verifying the rights to use, for userauthentication.
 12. The system according to claim 8, comprising meansfor transmitting information between the terminal and at least onecommunication network, wherein the extendable authentication protocolinterface comprises means for forming at least one cryptographic key,and that said at least one cryptographic key is arranged to betransmitted from the device for verifying the rights to use to theterminal.
 13. The system according to claim 12, wherein it comprisesmeans for using said at least one cryptographic key for the encryptionof information to be transmitted between the terminal and thecommunication network.
 14. A terminal equipped with means for connectinga device for verifying the rights to use, at least for authentication,the device for verifying the rights to use being equipped with means forrunning an authentication protocol, wherein the device for verifying therights to use is equipped with an extendable authentication protocolinterface as well as with means for implementing at least some of theauthentication functions via said extendable authentication protocolinterface.
 15. A terminal according to claim 14, wherein it comprisesmeans for performing mobile station functions.
 16. A device forverifying the rights to use, to be used for user identification, theauthorization device comprising means for running an authenticationprotocol, wherein the device for verifying the rights to use is equippedwith an extendable authentication protocol interface as well as withmeans for performing at least some of the authentication functions viasaid extendable authentication protocol interface.
 17. The authorizationdevice according to claim 16, wherein it is a mobile subscriberidentification card.
 18. A computer program comprising machineexecutable steps for authenticating the user of a terminal equipped witha device for verifying the rights to use, the device for verifying therights to use being applied for running an authentication protocol,wherein the computer program further comprises machine executable stepsfor applying an extendable authentication protocol interface in thedevice for verifying the rights to use, including machine executablesteps for processing at least some of the authentication functionsthrough the extendable authentication protocol interface.
 19. Thecomputer program according to claim 18, wherein, for userauthentication, it comprises at least the following machine executablesteps: a step of transmitting a request, in which a request istransmitted to the device for verifying the rights to use, a step ofprocessing the request, in which the request is processed in theextendable authentication protocol interface to form a response, and astep of transmitting the response, in which the response formed in theextendable authentication protocol interface is transmitted from thedevice for verifying the rights to use.
 20. A storage medium for storinga computer program comprising machine executable steps forauthenticating the user of a terminal equipped with a device forverifying the rights to use, the device for verifying the rights to usebeing applied for running an authentication protocol, wherein thecomputer program further comprises machine executable steps for applyingan extendable authentication protocol interface in the device forverifying the rights to use, including machine executable steps forprocessing at least some of the authentication functions through theextendable authentication protocol interface.